
Security researchers organization



> From: Russ [mailto:Russ.Cooper@xxxxxxxx]
> (Was: Vulnerability Disclosure Formats (was "Re: Funny article"))
> <snip http://tinyurl.com/ve83>
> Thor Larholm proposed the idea of a "Union" to me. While I don't like 
> the concept of unions in this day and age, our field is one that 
> could benefit from such an idea wrt discoverers. They are far too 
> often bashed (and I have been guilty of this), and often not 
> recognized for what they do.

Whenever I talk about this issue, wording becomes an issue :)

"Union" is undoubtedly the wrong phrase. What I would like to see
created is an organization that would promote and protect the interests
of security researchers, plain and simple. There is currently no
organization that exists solely to guide, help and represent security
researchers on a larger scale, yet we can all recognize the need.

We have all seen organizations, proposals and disclosure guidelines that
are created by vendors for vendors, by governments for governments, even
by statisticians for statisticians. All of these provide little to no
incentive for most researchers to undertake extensive requirements,
particularly for non-corporate-based researchers who do not strive to
put a standards label on their scoreboard. All of these fail to aid and
simplify the work required of any researcher who has already voluntarily
spent a considerable amount of their time to review, assess and
understand the intricate processes of the vendor's product, sometimes
better than the vendor itself. All of this is particularly important to
remember as the vast majority of researchers are reporting
vulnerabilities on a completely voluntary, non-contractual,
non-commissioned basis, freely helping the vendor to secure their
products.

Helping establish contact with vendors, crediting the work of
researchers, offering assistance and third-party review, leveraging the
knowledge of experienced researchers, lobbying against anti-research
legislation, even acting as a proxy between researcher and vendor when
the researcher so desires (more often than not out of fear of legal
reprimand from the vendor) - there are so many ways that we could
benefit from an organization created by researchers for researchers.

A lot of people have proposed organizations that deal with one or
another of these aspects, though not all. Most recently, Mark Rasch
proposed an ISAC (Information Sharing and Analysis Center) like the ones
the IT industry, telecommunications industry and banking industry have (
http://www.securityfocus.com/columnists/197 ). A security researchers'
organization could not only advance such ideas as parts of its
operations, but even apply the representation and lobbying of
thousands of organized researchers to establish concepts such as bug
bounties, as Mark suggests.

We are a wide, international and differing group of researchers, some
with malicious and others with altruistic intents for finding security
vulnerabilities. Despite our differences we have much in common - we are
deeply interested in advancing our knowledge of security and information
technology, we find vulnerabilities, we want the vendor to know about
these at some point in time and we want to be credited for our
findings. These are all common ideals we can agree and act upon, without
having to be of the same persuasion about which disclosure policy is the
best. Just as the workers of the last century united to organize worker
unions, we are a differing group of individuals with common goals to
fight for. We want our work to be respected and valued, we want
credibility and influence.

Establishing an organization that represents security researchers is not
just for the good of researchers themselves, it is for the good of the
community and industry as a whole. The vendors would most definitely
benefit from an organization such as this, suddenly being able to
approach and debate with a single organization representing thousands of
individual researchers as opposed to the status quo of debating
guidelines with thousands of disparate individuals - the latter
essentially being a moot point.

I have talked with a variety of seasoned security professionals about
this idea, and everybody recognizes the need. With the proper backing
and support, I can most definitely see such an organization take root
and I am more than willing to help in any such effort.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
949-231-8496

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix <http://www.qwik-fix.net>